Federal Communications Commission
Office of Inspector General

FY 2003 Federal Information Security Management Act
(FISMA) Independent Evaluation

September 22, 2003

TABLE OF CONTENTS

                                                                   Page

EXECUTIVE SUMMARY                                                     2
BACKGROUND                                                            3
OBJECTIVE                                                             3
SCOPE                                                                 4
RESULTS OF FISCAL YEAR 2003 INDEPENDENT EVALUATIONS                   5
APPENDIX A   OIG Responses to OMB M-03-19 GISRA Reporting Questions  A-1
APPENDIX B   Report on Follow-up Audit of Computer Controls at the
             FCC Consumer Center (Audit Report No. 01-AUD-07-30)    B-1

Executive Summary

The Federal Information Security Management Act ('FISMA' or 'the Act') was signed into law on December 17, 2002 as Title III, "Information Security", of the E-Government Act of 2002. The Act permanently re-authorizes the framework established by the Government Information Security Reform Act (GISRA), which expired in November 2002.

FISMA requires all federal agency heads to transmit to the Office of Management and Budget (OMB) an annual agency report consisting of separate components prepared by the agency Chief Information Officer (CIO) and the Office of Inspector General (IG). A key provision of the Act also requires that the agency IG, or independent evaluators designated by the IG, perform an annual independent evaluation of the agency's information security program and practices. For fiscal year (FY) 2003, the Federal Communications Commission's ("Commission" or "FCC") IG engaged KPMG, LLP to conduct its independent evaluation.

The overall objective of the FISMA independent evaluation was to evaluate the effectiveness of the Commission's information security program. Generally, we found the Commission's information technology security to be effective. We used the National Institute of Standards and Technology (NIST) "Self-Assessment Guide for Information Technology Systems (Self-Assessment Guide 800-26)" as a basis for our methodology to assess the risk for each component of the FCC's program. As applicable, additional guidance was received from methodology provided in the Federal Information Systems Control Audit Manual (FISCAM), as well as other laws and directives related to management and protection of Federal information resources.

This year's independent evaluation included an assessment of the agency's Plan of Actions and Milestones (POA&M) process and an aging study. The aging study was performed to identify the length of time that POA&M weaknesses remain open and to determine how effective the agency is in implementing corrective actions. We noted that the FCC effectively monitors and tracks all known weaknesses via the POA&M. However, only one-third of the corrective actions are completed on track and 63% have experienced or are experiencing delays. Our study identified that significant delays are encountered when implementing defined corrective actions.

OMB Memorandum M-03-19, dated August 6, 2003 and entitled "Reporting Instructions for the Federal Information Security Management Act and Updated Guidance of Quarterly IT Security Reporting", was followed to perform and report the results of our independent evaluation. Appendix A provides the IG's responses to OMB's questions that address high-level performance measures of the FCC's information security program and practices. We plan to issue the final detailed findings and recommendations from this year's FISMA independent evaluation by November 30, 2003.

FISMA also requires that IGs select an appropriate subset of business applications for independent review. Our Follow-up Audit of Computer Controls at the FCC Consumer Center and FY 2003 Audit of Revenue Accounting and Management Information System (RAMIS) Application Controls satisfy this requirement. Appendix B forwards the final report on our Follow-up Audit of Computer Controls at the FCC Consumer Center (Audit Report No. 01-AUD-07-30). The audit of RAMIS application and security controls has been substantially completed. A final report of detailed findings and recommendations is planned for November 30, 2003.

Background

The Federal Information Security Management Act (hereafter referred to as 'FISMA' or 'the Act') was signed into law on December 17, 2002 as Title III, "Information Security", of the Electronic Government Act of 2002. FISMA permanently re-authorizes the framework established by the Government Information Security Reform Act (GISRA), which expired in November 2002. The requirements of the Act apply to all federal agencies.

The Act requires each federal agency head to transmit to the Director of the Office of Management and Budget (OMB) an annual report of high-level performance measures on its information security program. The agency report consists of two separate components that are prepared by the agency Chief Information Officer (CIO) and the Office of Inspector General (IG). The CIO's report provides the results of annual system and program reviews as well as progress in implementing the agency's POA&Ms. The IG's report summarizes the results of independent evaluations performed during the fiscal year and the agency's progress in implementing Plans of Actions & Milestones (POA&M).

A key provision of the Act requires that the agency Office of Inspector General (IG), or independent evaluators designated by the IG, perform an annual independent evaluation of the agency's information security program and practices. For fiscal year (FY) 2003, the Federal Communications Commission's ("the Commission" or "FCC") IG engaged KPMG, LLP to conduct the independent evaluation of the FCC's information security program and practices.

OMB Memorandum M-03-19, dated August 6, 2003 and entitled "Reporting Instructions for the Federal Information Security Management Act and Updated Guidance of Quarterly IT Security Reporting", was followed to perform and report the results of our independent evaluation.

Evaluation Objective

The objectives of the current year's FISMA independent evaluation and risk assessment were to:

1. Evaluate the effectiveness of the Commission's information security program through the use of FISMA security assessment tools.

2. Prepare the annual submission in accordance with the reporting requirements mandated by OMB Memorandum M-03-19, dated August 6, 2003 and entitled "Reporting Instructions for the Federal Information Security Management Act and Updated Guidance of Quarterly IT Security Reporting."

3. Follow up on the findings identified during the FY 2001 and FY 2002 GISRA reviews that are documented in prior FCC IG audit reports (Report Nos. 01-AUD-11-43 and 02-AUD-02-06).

To accomplish the objectives of the review we specifically included the following tasks:

   1. Review documentation and interview communication, developers, and system management personnel to obtain an understanding of the IT structure and operational environment;

   2. Design and conduct tests appropriate for a FISMA review. For FY 2003 these tests included:
      a. A review of the Commission's Plans of Action and Milestones (POA&Ms) to determine if the POA&Ms include all findings.
      b. An aging of POA&M findings to determine the length of time vulnerabilities have remained open.
      c. An analysis of the FCC's process for testing for vulnerabilities to determine if the FCC has a process to test for significant information security vulnerabilities on a systematic basis.
      d. An assessment of the FCC's certification and accreditation (C&A) process.
      e. An aging of completed C&As to determine how long C&As operate under interim authority to operate at the FCC.

   3. Review the effectiveness of application security for a sample of applications;

   4. Classify and rank security risk areas and vulnerabilities;

   5. Make recommendations for specific improvements to security, as appropriate; and

   6. Identify areas for review in subsequent years.

Evaluation Scope

The scope of our independent evaluation included the security infrastructure managed by the Office of Managing Director's (OMD) Information Technology Center (ITC) and the Auctions Automation Branch of the Commission's Wireless Telecommunications Bureau (WTB).

Our procedures were designed to comply with applicable auditing standards and guidelines, specifically the Generally Accepted Government Auditing Standards (GAGAS).

The evaluation methodology used was the National Institute of Standards and Technology (NIST) "Self-Assessment Guide for Information Technology Systems (Self-Assessment Guide)". As applicable, the methodology prescribed by the Federal Information Security Control Audit Manual (FISCAM) was used to assess management, operational, and technical controls during our risk assessment, as well as the following laws and directives related to management and protection of Federal information resources:

   - Presidential Decision Directive (PDD) 63, entitled "Critical Infrastructure Protection."
   - PDD-67, entitled "Continuity of Operations Planning (COOP)."
   - OMB Circular A-130, entitled "Management of Federal Information Resources," as revised on November 30, 2000.
   - OMB M-01-08, entitled "Guidance on Implementing the Government Information Security Reform Act," dated January 16, 2001.
   - OMB M-97-16, entitled "Information Technology Architectures."
   - OMB M-97-02, entitled "Funding Information Systems Investments."
   - FCC Instruction 1479.2, "Computer Security Program Directive."
   - NIST Special Publication 800-37, entitled "Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems", October 2002 (DRAFT).

FISMA also requires that IGs select an appropriate subset of business applications for independent review. Our Follow-up Audit of Computer Controls at the FCC Consumer Center and FY 2003 Audit of Revenue Accounting and Management Information System (RAMIS) Application Controls satisfy this requirement. The report on the results of the Consumer Center follow-up audit is included with this report as Appendix B. The audit of RAMIS application and security controls has been substantially completed. A final report of detailed findings and recommendations is planned for November 30, 2003.

Results of FY2003 IG Independent Evaluations

The FCC continues to make progress in strengthening its information security program. In the current fiscal year the FCC's Computer Security Program revised its methodology for certifying and accrediting its major applications and general support systems. The revised methodology is designed to more effectively identify and address risks and ensure the security of resources in the operational environment. Specific accomplishments in the current fiscal year include the following:

- Security tests and evaluations (ST&Es) were re-performed for 53% of the agency's major applications and general support systems.

- Eight (8) systems were authorized for processing following certification and accreditation. At the close of the prior year none of the Commission's systems had been certified and accredited.

While these efforts demonstrate the Commission's commitment to information security, the lack of an IT Continuity of Operations Plan (COOP) represents a risk to the security posture of the agency. Completion of the overall ITC COOP, which is in draft, will further strengthen the FCC's information security program. The FCC has contracted an outside vendor to assist with the development of the plan, which will address all major applications and general support systems. However, the plan is significantly behind schedule.

Additional observations of the Commission's information security program identified during FY2003 IG independent evaluations are discussed below. Some observations are specific to the overall security program, while others address specific systems and information resources.

FY2003 FISMA Independent Evaluation and Risk Assessment

The IG has prepared responses to OMB's questions that report upon high-level performance measures of the Commission's information security program and practices. The responses are based upon the results of our FY 2003 independent evaluation. Some questions were not necessarily specific to the agency's information security program addressed by the scope of our audit. In these cases, we have relied upon information provided by the appropriate agency bureaus and offices. The IG accepted the information provided without performing further validation. Appendix A to this report provides the IG's annual submission of responses to OMB questions in the required format.

Our current year FISMA independent evaluation of the FCC's information security program will result in a detailed report that will (1) identify and rank the critical security risk factors, and (2) provide observations and recommendations for improvements to the agency's information security program, if any. The assessment is substantially complete and the final report is expected to be issued by November 30, 2003.

Included as a component of the FY2003 independent evaluation was an evaluation of the agency's POA&M process and an aging study. The aging study was performed to identify the length of time that POA&M weaknesses remain open and how effective the agency is in implementing corrective actions for identified deficiencies. Included in the scope of the aging study were current fiscal year and all prior year quarterly POA&Ms issued by the FCC. On a positive note, the Commission has corrected last year's Government Information Security Reform Act (GISRA) independent evaluation finding that reported that not all known weaknesses were included in the agency POA&Ms. Additionally, FCC management has appropriately outlined corrective actions for remediation of each weakness reported in the POA&Ms.

While FCC management continues to effectively monitor and track the progress of the corrective actions planned for all known security weaknesses, the results of our aging study indicate that the timely remediation of weaknesses should be improved upon. The summary of our aging study is provided in the following table:

Summary of POA&M Aging Study

                                                              # Weaknesses   % Weaknesses
Total Number of Weaknesses Reported by Agency POA&Ms                48           100%
  Number of Corrective Actions Completed On Time                    16            33%
  Number of Corrective Actions Delayed and Completed                10            21%
  Number of Corrective Actions that are On-going and
    On-track for Remediation                                         2             4%
  Number of Corrective Actions Delayed and Not Completed            20            42%

Delays Encountered                                            # Weaknesses   % Weaknesses
  1-3 months                                                         4            13%
  6-12 months                                                       13            43%
  13-18 months                                                      10            33%
  19-24 months                                                       1             3%
  Over 24 months                                                     2             7%

As indicated above, very few corrective actions designed to correct security weaknesses are completed on track. Our study identified that significant delays are encountered when implementing defined corrective actions. In total, 48 weaknesses have been reported by the agency POA&Ms. Corrective actions have been reported as completed on time for 16 (33%) of reported weaknesses and 2 (4%) were reported as on track for completion. Of the total security weaknesses for which POA&Ms have been developed, corrective actions for 30 (63%) have experienced or are experiencing delays. Implementation of planned corrective actions was delayed between 1 and 3 months for 4 (13%) of the identified weaknesses; 13 (43%) were delayed between 6 and 12 months; 10 (33%) were delayed between 13 and 18 months; and 3 (10%) were delayed between 19 and 24 months.

Follow-up Audit on Computer Controls at the FCC Consumer Center

We performed a follow-up audit on Audit Report No. 00-AUD-01-12 dated June 21, 2001 entitled "Report on Audit of Computer Controls at the FCC National Call Center." The original report noted that significant technical control and internal control improvements could be made to improve the overall security posture of the Consumer Center (formerly known as the National Call Center). The original report contained one hundred three (103) specific findings.

The objective of our recent follow-up audit was to determine the status of sixty-six (66) of the original one hundred three (103) conditions. Specifically excluded were conditions from the original audit related to physical security and other conditions determined by the IG to be outside the scope of the audit. The guideline for performing this audit was the Federal Information System Control Audit Manual (FISCAM). Additional guidance was received from the National Institute of Standards and Technology (NIST) and other laws and directives related to management and protection of Federal information resources, including the FCC's "Computer Security Program Directive" (FCC Instruction 1479.2).

Of the sixty-six (66) conditions that were reviewed, the audit identified twenty-one (21) conditions with an 'open' status, forty-five (45) with a 'closed' status, and four (4) new control weaknesses. Represented in the open conditions were twenty (20) that had been reported as resolved by FCC management prior to the audit. From our review we ascertained that some of these conditions had to be re-opened for reasons including the degradation of security controls after initial corrective actions were taken, introduction of new hardware which may not have been properly configured, or subsequent changes made by personnel with administrative and maintenance duties. As we conducted the follow-up audit and identified open conditions, FCC management took proactive measures to initiate resolution of findings that remained open.

The final report (Audit Report No. 01-AUD-07-30) issued from the follow-up audit is attached as Appendix B to this submission.

FY2003 Audit of RAMIS Application Controls

In the current fiscal year, we initiated an audit of the application and security controls over the Commission's RAMIS application. RAMIS is the Commission's internal revenue management system that supports application and regulatory fee accounting, spectrum auction loan portfolio management, accounting for auction proceeds, accounting for enforcement actions, and other accounts receivable.

The objective of this audit was to determine the extent and effectiveness of RAMIS application and security controls. The audit has been substantially completed and is in progress. During the audit we noted several positive observations as summarized below:

   - The FCC's Computer Security Program office conducted a physical security review of the contractor's facility. In response to observations of security controls at the facility, FCC management took appropriate action to improve the security of the RAMIS production and test servers.

   - No vulnerabilities were identified during a limited external penetration testing of the application and related network devices included in the scope of the assessment.

   - RAMIS passwords are being encrypted.

   - Strong root passwords are in use on the production server and the administrative workstation.

The final report will include and discuss weaknesses in the areas of audit trails, user account and password management, segregation of duties, and contractor oversight. The details of the weaknesses identified and corresponding recommendations will be released in the final audit report expected to be issued by November 30, 2003.

FCC's timely implementation of corrective actions to remediate the weaknesses identified by our FY 2003 independent evaluations and previous audits and special reviews will increase the effectiveness of the agency's information security program and practices. As prescribed by OMB Memorandum M-03-19, dated August 6, 2003 and entitled "Reporting Instructions for the Federal Information Security Management Act and Updated Guidance of Quarterly IT Security Reporting", POA&Ms for each vulnerability identified should be developed with milestones, completion dates, and budget resources required to implement corrective actions. Finally, the agency should continue to actively report on and monitor the correction of vulnerabilities through the POA&M process.

APPENDIX A

FY 2003 Federal Information Security Management Act
(FISMA) Independent Evaluation

Federal Communications Commission - Office of Inspector General

Responses to OMB Memorandum M-03-19 FY2003 FISMA Reporting Questions

A.1. Identify the agency's total IT security spending and each individual major operating division or bureau's IT security spending as found in the agency's FY03 budget enacted. This should include critical infrastructure protection costs that apply to the protection of government operations and assets. Do not include funding for critical infrastructure protection pertaining to lead agency responsibilities such as outreach to industry and the public.

Bureau Name                               FY03 IT Security Spending ($ in thousands)
Federal Communications Commission (FCC)   $4,100
Agency Total                              $4,100

A.2a. Identify the total number of programs and systems in the agency, the total number of systems and programs reviewed by the program officials and CIOs in FY03, the total number of contractor operations or facilities, and the number of contractor operations or facilities reviewed in FY03. Additionally, IGs shall also identify the total number of programs, systems, and contractor operations or facilities that they evaluated in FY03.

                                    FY03 Programs          FY03 Systems           FY03 Contractor Operations or Facilities
Bureau Name                         Total     Number       Total     Number       Total       Number
                                    Number    Reviewed     Number    Reviewed     Number *    Reviewed
Office of the Inspector General     1         1            19        2            6           1
Office of the Managing Director     1         1            19        19           6           0
Agency Total                        1         1            19        19           6           0

b. For operations and assets under their control, have agency program officials and the agency CIO used appropriate methods (e.g., audits or inspections) to ensure that contractor provided services or services provided by another agency for their program and systems are adequately secure and meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy?
   Yes [X]   No [ ]

c. If yes, what methods are used? If no, please explain why.
   The FCC Computer Security Officer (CSO) has performed a FISMA program review of the Office of the Managing Director's (OMD) Information Technology Center (ITC) using the NIST Self-Assessment Guide.

d. Did the agency use the NIST self-assessment guide to conduct its reviews?
   Yes [X]   No [ ]

e. If the agency did not use the NIST self-assessment guide and instead used an agency developed methodology, please confirm that all elements of the NIST guide were addressed in the agency methodology.
   N/A

* - Total based on external contract entities that process FCC data at an offsite location. This total includes Digital Systems Group, Mellon Bank, JP Morgan/Chase Bank, Colsen Bank, The National Finance Center, and The National Business Center.

A.3. Identify all material weaknesses in policies, procedures, or practices as identified and required to be reported under existing law in FY03. Identify the number of material weaknesses repeated from FY02, describe each material weakness, and indicate whether POA&Ms have been developed for all of the material weaknesses.

FY03 Material Weaknesses

Bureau Name                         Total Number   Total Number Repeated from FY02   Identify and Describe Each Material Weakness                                   POA&Ms developed? Y/N
Federal Communications Commission   3              3                                 1. Lack of compliance with OMB Circular A-130 Requirement for a                Y
                                                                                        Comprehensive Security Plan.
                                                                                     2. Inadequacies and Inconsistencies in the Mainframe and Network and
                                                                                        Network Access Request Process.
                                                                                     3. The FCC does not possess an Information Technology Center (ITC)
                                                                                        Contingency or Disaster Recovery Plan.
Agency Total                        3              3

Sources: Report on the Federal Communications Commission Fiscal Year 2001 Financial Statement Audit, April 30, 2002. Report on the Federal Communications Commission Fiscal Year 2002 Financial Statements Audit, January 31, 2003.

A.4. This question is for IGs only. Please assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestone process that meets the criteria below. Where appropriate, please include additional explanation in the column next to each criteria.

Agency program officials develop, implement, and manage POA&Ms for every system that they own and operate (systems that support their programs) that has an IT security weakness.
   Yes

Agency program officials report to the CIO on a regular basis (at least quarterly) on their remediation progress.
   Yes

Agency CIO develops, implements, and manages POA&Ms for every system that they own and operate (systems that support their programs) that has an IT security weakness.
   Yes

The agency CIO centrally tracks and maintains all POA&M activities on at least a quarterly basis.
   Yes

The POA&M is the authoritative agency and IG management tool to identify and monitor agency actions for correcting information and IT security weaknesses.
   No - The FCC's OMD has established responsibility for audit follow-up within the agency's Performance Evaluation and Records Management (PERM) division under OMB Circular A-50 guidelines. Treating the POA&M as the IG tool for tracking IT security findings would create parallel systems that duplicate the same function. FCC-OIG submitted comments on the draft FY03 FISMA guidelines to OMB by e-mail. In the e-mail, FCC-OIG noted this long-standing practice of the Commission and requested of OMB that security guidance allow flexibility for other offices within an agency to be the authority for managing IT findings.

System-level POA&Ms are tied directly to the system budget request through the IT business case as required in OMB budget guidance (Circular A-11) to tie the justification for IT security funds to the budget process.
   Yes - FY2004 business cases identified the anticipated spending on IT security, including the correction of identified weaknesses as well as other IT-security costs. Beginning with FY2005, in accordance with FISMA POA&M guidelines, agency POA&Ms will include the amount of funding resources
                              identified in IT business cases.\n\x0cA.4. This question is for IGs only. Please assess whether the\nagency has developed, implemented, and is managing an\nagency-wide plan of action and milestone process that meets\nthe criteria below. Where appropriate, please include\nadditional explanation in the column next to each criteria.   Yes   No\n\n\n                                                                    No - Weakness identified during\n                                                                    IG audits are incorporated into the\n                                                                    agency POA&Ms however,\n                                                                    quarterly POA&Ms where not\nAgency IGs are an integral part of the POA&M process and have       distributed to the FCC IG during\naccess to agency POA&Ms.                                            the fiscal year.\n\n\nThe agency's POA&M process represents a prioritization of           No - Agency POA&Ms are not\nagency IT security weaknesses that ensures that significant IT      being prioritized to identify\nsecurity weaknesses are addressed in a timely manner and            significant IT security\nreceive, where necessary, appropriate resources.                    weaknesses.\n\x0cB.1. Identify and describe any specific steps taken by the The FCC Chairman has specifically directed the agency Chief Information Officer (CIO) to appoint\nagency head to clearly and unambiguously set forth         the CSO to act as the single point of contact for implementing the Security Act provisions and\nFISMA's responsibilities and authorities for the agency assessing compliance at all levels of the agency. While program officials are responsible for\nCIO and program officials. Specifically how are such       specific missions within the Bureau of Office, the CIO has been directed to centrally manage IT\nsteps implemented and enforced?             
               security for the agency. This mandate has been implemented through the assignment of a CSO\n                                                           and the development of a Computer Security Program Plan, which when completed will supplement\n                                                           the Information Technology Center Strategic Plan. The CSO is also responsible for developing and\n                                                           maintaining the system security plan for each major application and general support system to\n                                                           support each FCC Bureau and Office.\n\n\nB.2. Can a major operating component of the agency             No - We noted during our audit of the Auctions IT capital investment practices, beginning with the\nmake an IT investment decision without review by and           FY 2003 Auctions budget request, the FCC began managing the Auctions cost budget development\nconcurrence of the agency CIO?                                 process in a similar fashion to the overall appropriated budget process for the agency. In July of\n                                                               2002, the FCC finalized its Information Technology (IT) Strategic Plan. This plan provides a high-\n                                                               level framework for the Commission's IT capital investment process.\n\n\nB.3. How does the head of the agency ensure that the           The FCC Systems Development Life Cycle (SDLC) provides specific activities and tasks that must\nagency\xe2\x80\x99s information security plan is practiced                be followed in managing medium to large-scale systems. The SDLC process was modified to\nthroughout the life cycle of each agency system?               
specifically identify security controls and processes to be addressed at each stage of the SDLC,\n                                                               including system security plan development, security test and evaluation, and certification and\n                                                               accreditation.\n\n\nB.4. During the reporting period, did the agency head        During FY 2003 the FCC CSO performed a FISMA self-assessment review of the FCC ITC. This\ntake any specific and direct actions to oversee the          review focused on the managerial, operational, and technical aspects of the FCC's information\nperformance of 1) agency program officials and 2) the        technology security.\nCIO to verify that such officials are ensuring that security\nplans are up-to-date and practiced throughout the\nlifecycle of each system?\n\n\nB.5. Has the agency integrated its information and             For the Commission's information technology resources, physical and operational security are\ninformation technology security program with its critical      integrated and centrally managed under a single program. The Director of the ITC is designated as\ninfrastructure protection responsibilities, and other          the Commission's CIO. The CIO is responsible for establishing the agency's computer security\nsecurity programs (e.g., continuity of operations, and         program inclusive of network and application security plans, continuity of operations/disaster\nphysical and operational security)?                            recovery plans, and incident handling procedures, as well as authorizing systems to operate.\n\n\nB.6. Does the agency have separate staffs devoted to           The FCC is an independent agency of the United States Federal Government and reports directly to\nother security programs, are such programs under the           congress. 
Within this agency is the ITC, which supports the Information Technology related needs\nauthority of different agency officials, if so what specific   its mission and employees. A sub-department of the ITC is the Computer Security Program (CSP),\nefforts have been taken by the agency head or other            which provides an agency-wide Information Technology security function for the entire agency. The\nofficials to eliminate unnecessary duplication of              CSO is responsible for the development, administration, and oversight of the Commission's IT\noverhead costs and ensure that policies and procedures         security programs. Among the CSO's duties is developing and reviewing general support syste and\nare consistent and complimentary across the various            major application security plans, Continuity of Operations Plan (COOP) and contigency plans, and\nprograms and disciplines?                                      incident handling procedures, as well as assisting the FCC bureaus and offices with IT system\n                                                               security program development and administration. Oversight of physical security of the\n                                                               Commission has been assigned to the Commission's Security Officer. 
The Security Officer is\n                                                               responsible for agency security operations including physical security, employee and contractor\n                                                               badges, lock and key services, site guard services, and a security operations center.\n\n                                                               The FCC Wireless Telecommunication Bureau Auctions Automation Branch also has one\n                                                               staff-member responsible for reviewing security on the Auction general support\n                                                               system and on all Auctions related major application. This staff person is\n                                                               independent of the FCC CSO. The Auctions Operations Branch has in place a contract with\n                                                               a third party responsible for outsourced, off-hours intrusion detection within\n                                                                the Auctions general support system.\n\x0cB.7. Identification of agency's critical operations and assets (both national critical operations and assets and mission critical) and\nthe interdependencies and interrelationships of those operations and assets.\na. Has the agency fully identified its critical operations and assets, including their\ninterdependencies and interrelationships?                                                       Yes                    X No\nb. If yes, describe the steps the agency has taken as a result of the review.                   
The FCC CSO has performed a FISMA\n                                                                                                self-assessment of the ITC in order to\n                                                                                                identify all critical operations and assets.\n\n\n\n\nc. If no, please explain why.\n\x0cB.8. How does the agency head ensure that the agency, including all components, has documented procedures for reporting\nsecurity incidents and sharing information regarding common vulnerabilities?\n\nThe FCC developed a Computer Incident Response Guide that contains specific response instructions, a standardized form for reporting\nincidents, and guidance for reporting outside of the agency. The report form used in the guide was modeled after the FedCIRC and FBI-\nNIPC formats. This form includes a section for sharing information outside of the agency.\n\nThe FCC has also formed a Computer Incident Response Team (CIRT). The team's focal point is the mitigation of impact from computer\nrelated incidents at the Commission. The team is comprised of technical experts in the fields of personal computing, network design and\nfunctionality, telecommunications, application development and management, and security and investingations. The CIRT is broken into 4\nsub-teams comprised of individuals from the Applications Integrations Group (AIG), the Network Development Group (NDG), the Operations\nGroup (OG), and the Auctions Operational Branch (Auctions).\n\n\n                                                                                  The CSO serves as the principal contact for the FCC\n                                                                                  CIRT. 
To support information sharing, the CSO reports\n                                                                                  to, and works closely with, the CIO, the Federal\n                                                                                  Computer Incident Response Capability (FedCIRC)\n                                                                                  managed by the GSA, the FBI - National Infrastructure\na. Identify and describe the procedures for external reporting to law             Protection Center (FBI - NIPC), and the Computer\nenforcement authorities and to the Federal Computer Incident Response             Emergency Response Team (CERT) at Carnegie Melon\nCenter (FedCIRC).                                                                 University, as well as others.\nb. Total number of agency components or bureaus.                                  17\nc. Number of agency components with incident handling and response\ncapability.                                                                       3\nd. Number of agency components that report to FedCIRC.                            1\ne. Does the agency and its major components share incident information\nwith FedCIRC in a timely manner consistent with FedCIRC and OMB\nguidance?                                                                Yes\nf. What is the required average time to report to the agency and FedCIRC\nfollowing an incident?                                                   24 Hours\ng. How does the agency, including the programs within major components, The FCC uses custom scripts, developed by the\nconfirm that patches have been tested and installed in a timely manner?  Application Integrations Group (AIG), to ensure that all\n                                                                         systems are using the most current and up-to-date\n                                                                         patches. 
The level of system patching is also reviewed\n                                                                         for each major application and general support system\n                                                                         during the Security Test and Evaluation (ST&E) portion\n                                                                         of the system's Certification and Accreditation (C&A)\n                                                                         examination.\nh. Is the agency a member of the Patch Authentication and Distribution\nCapability operated by FedCIRC?                                                   Yes                        No            X\n\ni. If yes, how many active users does the agency have for this service?           N/A\nj. Has the agency developed and complied with specific configuration\nrequirements that meet their own needs?                                           Yes           X            No\nk. Do these configuration requirements address patching of security\nvulnerabilities?                                                                  Yes           X            No\n\x0cB.9. Identify by bureau, the number of incidents (e.g., successful and unsuccessful network penetrations, root or user account\ncompromises, denial of service attacks, website defacing attacks, malicious code and virus, probes and scans, password access)\nreported and those reported to FedCIRC or law enforcement.\n                                                                           Number of incidents reported externally to FedCIRC\nBureau Name            Number of incidents reported                        or law enforcement\nFederal\nCommunications                                                             Three of the 27 incidents were reported to FedCIRC in\nCommission             A total of 27 incidents were reports in FY 2003.    FY 2003.\n\x0cC.1. 
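Question B.8.g above states that the FCC relies on custom scripts from the AIG to confirm that systems carry current patches, but the report does not reproduce them. The following is an added illustration of what such a check looks like; it is not the FCC's script and not part of this report. It reads a constructed host inventory (invented host names, package names and version numbers), compares each installed version against an assumed minimum-version baseline, and treats two failure modes as findings rather than silent passes: a host on the expected list that never reported an inventory, and inventory lines the collector produced in a broken format.

```python
"""Patch-level compliance check against a required baseline.

Added illustration for B.8.g. This is an assumed, hypothetical script, not the
FCC AIG's own; every host, package and version below is constructed sample data.
"""
import re

# Constructed sample inventory (hypothetical hosts and versions), one line per
# installed package. One deliberately malformed line exercises the parser.
SAMPLE_INVENTORY = """\
host=web01 pkg=openssl version=0.9.7c
host=web01 pkg=httpd version=2.0.47
host=db01 pkg=openssl version=0.9.7a
host=db01 pkg=httpd version=2.0.40
host=auct01 pkg=openssl version=0.9.7c
garbage line
"""

# Assumed baseline: minimum acceptable version for each tracked package.
BASELINE = {"openssl": "0.9.7c", "httpd": "2.0.47", "bind": "9.2.2"}

# Assumed list of hosts that are required to report. A host missing from the
# inventory is a finding, not a pass: silence must not look like compliance.
EXPECTED_HOSTS = {"web01", "db01", "auct01", "mail01"}

LINE_RE = re.compile(r"^host=(\S+)\s+pkg=(\S+)\s+version=(\S+)$")


def parse_version(version):
    """Turn '2.0.47' or '0.9.7c' into a tuple that compares correctly.

    Numeric runs compare as integers (so 2.0.47 > 2.0.9) and letter suffixes
    compare as strings after the numbers (so 0.9.7c > 0.9.7 and < 0.9.8).
    """
    parts = []
    for piece in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def parse_inventory(text):
    """Parse inventory lines into {host: {package: version}}.

    Returns the mapping and the list of lines that did not match the format,
    so a broken collector shows up in the output instead of being ignored.
    """
    hosts, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            malformed.append(line)
            continue
        host, pkg, version = match.groups()
        hosts.setdefault(host, {})[pkg] = version
    return hosts, malformed


def check_compliance(hosts, baseline, expected_hosts):
    """Return {host: [finding, ...]}; an empty list means the host is compliant.

    Packages not in the baseline are not checked, and a baseline package that
    is not installed on a host is not a finding: the baseline sets minimum
    versions for what is installed, it does not mandate installation.
    """
    report = {}
    for host in sorted(expected_hosts):
        packages = hosts.get(host)
        if packages is None:
            report[host] = ["no inventory received"]
            continue
        findings = []
        for pkg, installed in sorted(packages.items()):
            required = baseline.get(pkg)
            if required is not None and parse_version(installed) < parse_version(required):
                findings.append(f"{pkg}: {installed} < required {required}")
        report[host] = findings
    return report


def run_check(inventory_text=SAMPLE_INVENTORY):
    """Run the full check on an inventory dump and return (report, malformed)."""
    hosts, malformed = parse_inventory(inventory_text)
    return check_compliance(hosts, BASELINE, EXPECTED_HOSTS), malformed


if __name__ == "__main__":
    report, malformed = run_check()
    for host, findings in report.items():
        print(f"{host}: {'OK' if not findings else 'NONCOMPLIANT'}")
        for finding in findings:
            print(f"    {finding}")
    if malformed:
        print("unparseable inventory lines:", malformed)
```

On the sample data, web01 and auct01 pass, db01 is reported for two packages below the baseline, mail01 is reported because it sent nothing, and the malformed line is surfaced separately. The version comparison is deliberately structural rather than a string compare, since a naive string comparison would rank 2.0.9 above 2.0.47 and silently pass an unpatched host.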
C.1. Have agency program officials and the agency CIO: 1) assessed the risk to operations and assets under their control; 2) determined the level of security appropriate to protect such operations and assets; 3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and 4) tested and evaluated security controls and techniques? By each major agency component and aggregated into an agency total, identify actual performance in FY03 according to the measures and in the format provided below for the number and percentage of total systems.

Bureau Name: Federal Communications Commission (the Agency Total row reports the same figures)
    Total number of systems: 19
    Systems assessed for risk and assigned a level of risk: 10 (53%)
    Systems that have an up-to-date IT security plan: 19 (100%)
    Systems certified and accredited: 8 (42%)
    Systems with security control costs integrated into the life cycle of the system: 19 (100%)
    Systems for which security controls have been tested and evaluated in the last year: 10 (53%)
    Systems with a contingency plan *: 1 (5%)
    Systems for which contingency plans have been tested *: 1 (5%)
    * Denotes the FCC Auctions COOP, which only covers the Automated Auctions System (AAS).

C.2. Identify whether the agency CIO has adequately maintained an agency-wide IT security program and ensured the effective implementation of the program and evaluated the performance of major agency components.

Has the agency CIO maintained an agency-wide IT security program? (Y/N)
Yes. FCC Directive FCCINST 1479.2 serves as the overall FCC-wide IT Security Program. This plan has been approved by the FCC CIO and has been given a 5-year lifespan. The plan will expire in October 2006.

Did the CIO evaluate the performance of all agency bureaus/components? (Y/N)
Yes

How does the agency CIO ensure that bureaus comply with the agency-wide IT security program?
The FCC CSO has performed a review of the FCC using the NIST Self-Assessment Guide.

Has the agency CIO appointed a senior agency information security officer per the requirements in FISMA?
An FCC CSO and Deputy CSO have been appointed by the FCC CIO.

Do agency POA&Ms account for all known agency security weaknesses including all components?
Yes

C.3. Has the agency CIO ensured security training and awareness of all agency employees, including contractors and those employees with significant IT security responsibilities?

Total number of agency employees in FY03: 2582
Agency employees that received IT security training in FY03: 2582 (100%)
Total number of agency employees with significant IT security responsibilities: 64
Agency employees with significant security responsibilities that received specialized training: 56 (88%)
Briefly describe training provided: The FCC ITC and the CSP provide initial security awareness for general and detailed security related topics. The CSP also develops and teaches quarterly IT security briefs on topics relevant to the FCC. In addition, the CSP develops IT security notices and bulletins, which are posted on the FCC Intranet site.
Total costs for providing training in FY03: $26,000

C.4. Has the agency CIO fully integrated security into the agency's capital planning and investment control process? Were IT security requirements and costs reported on every FY05 business case (as well as in the exhibit 53) submitted by the agency to OMB?

Bureau Name: Federal Communications Commission
Number of business cases submitted to OMB in FY05: 6
Did the agency program official plan and budget for IT security and integrate security into all of their business cases? (Y/N) Yes, the total dollar amount for IT security is noted in each business case.
Did the agency CIO plan and budget for IT security and integrate security into all of their business cases? (Y/N) Yes, a percentage of the funding dedicated to IT security for each function is denoted in each business case.
Are IT security costs reported in the agency's exhibit 53 for each IT investment? (Y/N) Yes, a percentage of the funding dedicated to IT security for each function is denoted in the overall agency-wide OMB exhibit 53.

Quarterly POA&M Updated Information (reported separately for Programs and Systems)

a. Total number of weaknesses identified at the start of the quarter: Programs N/A*, Systems N/A*
b. Number of weaknesses for which corrective action was completed on time (including testing) by the end of the quarter: Programs N/A*, Systems N/A*
c. Number of weaknesses for which corrective action is ongoing and is on track to complete as originally scheduled: Programs N/A*, Systems N/A*
d. Number of weaknesses for which corrective action has been delayed including a brief explanation for the delay: Programs N/A*, Systems N/A*
e. Number of new weaknesses discovered following the last POA&M update and a brief description of how they were identified (e.g., agency review, IG evaluation, etc.): Programs N/A*, Systems N/A*
* FISMA guidance provided by OMB does not require agency OIGs to complete this section.

Quarterly IT Security Performance Measures Update

Bureau Name: Federal Communications Commission (the Agency Total row reports the same figures)
    Total number of systems: 19
    Systems assessed for risk and assigned a level of risk: 10 (53%)
    Systems that have an up-to-date IT security plan: 19 (100%)
    Systems certified and accredited: 8 (42%)
    Systems with security control costs integrated into the life cycle of the system: 19 (100%)
    Systems for which security controls have been tested and evaluated in the last year: 10 (53%)
    Systems with a contingency plan: 5 (26%)
    Systems for which contingency plans have been tested: 0 (0%)